This post is about a batch script I wrote to help automate accessing Volume Shadow Copies (VSCs). I'm not going to discuss the forensic value of VSCs or the different ways to access them, since I couldn't add to what is already out there. For that type of information check out Harlan's Assessing Volume Shadow Copies post, including the links he provides (one is to Troy Larson's presentation slides), Lee Whitfield's Into the Shadows write-up, or the QCCIS whitepaper on recovering data from Volume Shadow Copies (this paper is the source of the for loops in my batch file). What I can add is a description of a problem I was facing and how I addressed it. Recently I've been working with VSCs on different volumes in different systems, and when accessing the VSCs I found myself doing the same thing over and over again:

* Using the vssadmin list shadows command to list the VSCs for a specific volume. At times I'd redirect the command's output to a text file for documentation purposes.

* Changing the for loop with the mklink command to reflect the VSCs I wanted hard links created for.

* Running the for loop with the mklink command to create the hard links.

* Examining the data of interest in the VSCs.

* Changing the for loop with the rd command to reflect the hard links I wanted to delete.

* Running the for loop with the rd command to delete the hard links.

Going through the above process worked fine. However, I wanted a faster way to access the VSCs without always having to make changes to a saved command or batch file. I'd rather just run one script that allowed me to specify what action to take and what VSCs to create links for. So I read a few articles on batch files and this is the solution I came up with to meet my need. I thought a few screenshots would help show the functionality of the script before I posted the code.
[Screenshot: Menu appears when batch file is executed]

[Screenshot: List VSCs selection shows the option to save output to a text file]

[Screenshot: List VSCs selection prompts for volume to list the VSCs for]

[Screenshot: List VSCs selection showing that the C volume doesn't have any VSCs]

[Screenshot: Create links selection prompts for the range of VSCs to create hard links for]

[Screenshot: Remove links selection prompts for the range of hard links to delete]

As the screenshots show, the batch file made things a lot easier and I no longer have to keep changing saved commands or simple batch files. Now I just run one script and specify a few parameters, so I can focus on the data I'm after in the VSCs. The text below is the batch file I'm talking about. To create a batch file for yourself, copy the text into a text file and save it with a .bat extension. It can be run from anywhere on the forensic workstation that's being used to examine the VSCs. Enjoy ...

@echo off
REM Author: Corey Harrell (Journey into IR)
REM The batch file can be executed from anywhere on a computer by double-clicking on it or calling it from the command line
REM The only change required is the name and location of the hard links being created. The script uses C:\vsc so this can be changed for your environment
REM Script starts here ...
REM The goto statement below makes the script process the menu function.
goto :menu

:menu
REM The menu function allows you to select one of the following: list all of the VSCs for a drive, create hard links to VSCs, or remove hard links pointing to VSCs
echo Press 1 to list the Volume Shadow Copies on a drive
echo Press 2 to create hard links to Volume Shadow Copies on a drive
echo Press 3 to remove hard links to Volume Shadow Copies
echo Press 4 to exit
set /p selection= Enter your selection:
cls
REM The if statements below make the script process a specific function based on the selection made.
REM Both sides of the comparison are quoted so an empty or blank selection does not produce a syntax error.
if "%selection%"=="1" goto :listvsc
if "%selection%"=="2" goto :makelink
if "%selection%"=="3" goto :removelink
REM Selection 4 (or anything else) exits the script via the goto below
goto :EOF

:listvsc
REM The listvsc function lists the Volume Shadow Copies for the selected drive
setlocal
REM The line below lets you save a text file listing the VSCs in conjunction with the VSCs being displayed on the screen. This is helpful if the listing of VSCs has to be documented.
set /p output=Do you want the output to be saved as a text file [y/n]
cls
echo Enter the letter of the drive to list the Volume Shadow Copies for (do not include the colon)
set /p drive=Enter the drive letter:
cls
REM The if statement below will create a text file listing the VSCs if this option was selected. The output file is created in the same folder where the batch file is executed from.
REM /i makes the check case-insensitive so Y and y both work.
if /i "%output%"=="y" (vssadmin list shadows /for=%drive%: > list-vscs.txt)
vssadmin list shadows /for=%drive%:
echo The Volume Shadow Copies for the %drive% drive have been listed
pause
endlocal
cls
REM The goto statement below makes the script loop back to the menu
goto :menu

:makelink
REM The makelink function creates hard links to the VSCs listed for the selected drive
echo Configuring what Volume Shadow Copies to create hard links for
REM The next part of the script sets the variables for the start and end parameters in the for loop.
setlocal
REM The vssadmin list shadows command provides the VSC numbers. The start parameter is the first VSC to create a link to while the end parameter is the last VSC to create a link to.
set /p start=Enter the VSC number to start with:
set /p end=Enter the VSC number to stop at:
cls
REM The script uses c:\vsc for the location and name of the hard links. The location (c:) and name (vsc) of the hard links can be changed to whatever you choose.
REM mklink /j creates a directory junction (the trailing backslash on the GLOBALROOT path is required).
for /l %%f in (%start%,1,%end%) do mklink /j c:\vsc%%f \\?\GLOBALROOT\Device\HardDiskVolumeShadowCopy%%f\
echo Hard links created for VSC %start% to %end%
pause
cls
endlocal
REM The goto statement below makes the script loop back to the menu
goto :menu

:removelink
REM The removelink function removes the hard links to VSCs that were created on the computer
echo Configuring the hard links to remove.
REM The next part of the script sets the variables for the start and end parameters in the for loop.
setlocal
REM The start and stop parameters are for the numbers in the names of the hard links
set /p start=Enter the number in the name of the hard link to start at:
set /p end=Enter the number in the name of the hard link to stop at:
cls
REM The location and name of the hard links below must be changed to match what was used in the makelink function.
REM rd on a junction removes only the junction itself, not the shadow copy data it points to.
for /l %%f in (%start%,1,%end%) do rd c:\vsc%%f
echo Hard links removed for link %start% to %end%
pause
cls
endlocal
REM The goto statement below makes the script loop back to the menu
goto :menu
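The same three actions in PowerShell, as an added example that is not the author's batch file: the VSC numbers are read from Win32_ShadowCopy instead of typed in from the vssadmin output, the links are still made with mklink /j, and the cleanup refuses to rd anything that is not a reparse point. It assumes an elevated prompt and the same C:\vsc link prefix; the function names are my own.

```powershell
# Added example, not the original batch file. Requires an elevated prompt.
function Get-VscForDrive {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'C' (no colon)
    # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form, so map the
    # drive letter to that form through Win32_Volume first.
    $vol = Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq "$($DriveLetter):"
    if (-not $vol) { throw "No volume mounted as $($DriveLetter):" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object VolumeName -eq $vol.DeviceID |
        ForEach-Object {
            # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12
            [pscustomobject]@{
                Number  = [int]($_.DeviceObject -replace '^.*HarddiskVolumeShadowCopy(\d+)$', '$1')
                Created = $_.InstallDate
                Device  = $_.DeviceObject
            }
        } | Sort-Object Number
}

function New-VscLink {
    param([Parameter(Mandatory)][string]$DriveLetter,
          [int]$From = 0, [int]$To = [int]::MaxValue,   # optional VSC number range
          [string]$Prefix = 'C:\vsc')                    # same prefix as the batch file
    $wanted = Get-VscForDrive $DriveLetter | Where-Object { $_.Number -ge $From -and $_.Number -le $To }
    foreach ($vsc in $wanted) {
        $link = "$Prefix$($vsc.Number)"
        if (Test-Path $link) { Write-Warning "$link already exists, skipping"; continue }
        # mklink /j as in the batch file; the trailing backslash on the target is required.
        cmd /c mklink /j $link "$($vsc.Device)\" | Out-Null
        "{0} -> VSC {1} (created {2})" -f $link, $vsc.Number, $vsc.Created
    }
}

function Remove-VscLink {
    param([string]$Prefix = 'C:\vsc')
    $dir  = Split-Path $Prefix          # C:\
    $name = Split-Path $Prefix -Leaf    # vsc
    # Only touch names of the form vsc<N> that really are reparse points: rd on a
    # junction removes the link, but a typo in the prefix must never hit a real folder.
    Get-ChildItem -Path $dir -Filter "$name*" -Directory |
        Where-Object { $_.Name -match "^$name\d+$" -and
                       ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        ForEach-Object { cmd /c rd $_.FullName | Out-Null; "removed $($_.FullName)" }
}
```

Get-VscForDrive C lists what vssadmin would show, New-VscLink C -From 12 -To 15 links that range, and Remove-VscLink cleans up only the junctions it made.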